JD Resume Tailor

Security checks across malware telemetry and agentic risk

Overview

This resume tool appears useful and purpose-aligned, but it understates its privacy and access behavior around saved personal data and optional URL fetching.

Install only if you are comfortable storing a local resume-profile.md with personal resume data in the workspace. Prefer pasted job descriptions over URLs for privacy-sensitive applications, review or delete the saved profile when done, and verify generated resumes before sending.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

High
Confidence: 95%
Finding
The skill collects and stores highly sensitive personal data, including birth date, gender, phone, email, and employment history, into workspace files without a clear upfront privacy warning, minimization guidance, or consent checkpoint. This is dangerous because users may disclose more PII than necessary, and persistent local storage increases the risk of accidental retention, later exposure, or unintended reuse by other tools or users with workspace access.

VirusTotal

65/65 vendors flagged this skill as clean.
